ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
Apache License 2.0

Reading cookie in cross-site context will be blocked in future Chrome versions #3703

Open dannycarrera opened 8 months ago

dannycarrera commented 8 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

I have an instance of Ory Kratos and Ory Hydra running on site-a.com. I have an oauth browser client running on site-b.com. Currently, site-b.com is working but the warning in the title is shown.

I wasn't able to find any comments from Ory whether they are already working on this or if a solution is already implemented.

Reproducing the bug

  1. Run Ory Kratos
  2. Run Ory Hydra
  3. Run an OAuth Browser Client
  4. Login or return to a session on the Browser Client

Relevant log output

Cookies with the SameSite=None; Secure and not Partitioned attributes that operate in cross-site contexts are third-party cookies. In future Chrome versions, reading third-party cookies will be blocked. This behavior protects user data from cross-site tracking.

Relevant configuration

# Kratos
cookies:
  same_site: None

# Hydra
cookies:
  domain: site-a.com
  same_site_mode: None
  secure: true

Version

v2.2.0-rc.3

On which operating system are you observing this issue?

Windows

In which environment are you deploying?

Binary

Additional Context

No response

HIRANO-Satoshi commented 7 months ago

Chrome has started the deprecation of third party cookies since the last month. This is a serious issue.

For third party cookies there are two types of methods: Storage Access API (SAA) and Cookie Partitioning, such as CHIPS. Safari supports SAA but does not support partitioning, while Chrome supports CHIPS and has added support for SAA since version 119.

To utilize SAA, the content in the iframe should call the hasStorageAccess() API.

To utilize CHIPS, Hydra should add the partitioned attribute to cookies.

This blog post explains.

https://medium.com/miro-engineering/the-end-of-third-party-cookies-and-its-impact-on-miro-apps-and-integrations-ee73358cda1e

In short, Hydra should try SAA then fall back to CHIPS.

HIRANO-Satoshi commented 7 months ago

Firefox shows this.

Cookie “XXX” will soon be rejected because it is foreign and does not have the “Partitioned” attribute.

When configuration has SameSite with "None" for 3rd party cookies, Hydra should add "Partitioned;" for the message. This is CHIPS.

A login dialog may use Storage Access API (SAA) if the API is available. I'm not sure how that works for silent refresh.

aeneasr commented 7 months ago

Accessing the Storage API will require a serious amount of work. Adding the partitioned attribute will not cause problems.

Regarding the opening post - this is about an iframe correct? Because in other use cases this should not be a problem (to the best of my knowledge) as we can still set cookies on redirects.

dannycarrera commented 7 months ago

@aeneasr This occurs with both redirect and iframe login methods.

With my limited understanding, I don't believe the issue is with setting cookies, but how the cookies are stored and made available to third parties for security reasons.

aeneasr commented 7 months ago

I cannot reproduce this issue with redirects. I also can't find any reference about redirects being blocked by the 3rd party cookie phase out. I do know that there is an issue with embedded content (iframes) and apparently there is also a problem with ITP from Safari in web views.

dannycarrera commented 7 months ago

My apologies. Upon deeper investigation the warning is being thrown when an img file is being requested and ory's cookies are forwarded by the browser.

Should I close this issue? It seems there is an actual issue here though that needs addressing.

HIRANO-Satoshi commented 7 months ago

This is an important issue. Please keep this open. As Chrome has already started rejecting cookies with samesite=None, Hydra needs to add support for the Partitioned attribute anyway.

@aeneasr wrote this for Golang's immediate support for the Partitioned attribute. I think waiting for it would lose time.

In addition to Chrome, Firefox also shows this (despite this).

Cookie “ory_hydra_login_csrf_dev_2630171196” will soon be rejected because it is foreign and does not have the “Partitioned” attribute.

We have two measures for 3rd-party cookie rejection. The Partitioned attribute to cookies with samesite=None (CHIPS), and the SAA that is a set of APIs for asking the user for permission of 3rd-party cookies with samesite=None.

If the user gives permission against SAA, cookies with samesite=None and without Partitioned can be used for keeping login status among multiple sites.

However, even with the user's permission, if the cookies have the Partitioned attribute, they are partitioned and the user has to log in at each site.

So, adding a partitioned flag to config would be easy but spoil the chance.

I'm not sure about what Hydra should do. Adding the partitioned flag as an immediate fix first and adding something later would be a way.

Note that Google provides yet another measure called Federated Credential Management API (FedCM).
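As an added illustration of the immediate fix discussed in this thread (this is example code, not Hydra's implementation and not code posted by any commenter), the Go helper below serializes a cookie with net/http and, whenever the cookie is configured with SameSite=None, appends the CHIPS "Partitioned" attribute. It enforces the Secure requirement that both SameSite=None and CHIPS impose, and leaves Lax/Strict cookies untouched so that first-party sessions are not partitioned unnecessarily. It assumes the running Go version may predate the http.Cookie.Partitioned field, so the attribute is appended to the serialized string instead; the cookie name and domain used in main are taken from the issue, the value is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// SetCookieHeader serializes c exactly as net/http does and, for cookies
// that operate in cross-site contexts (SameSite=None), appends the CHIPS
// "Partitioned" attribute. Browsers only accept Partitioned cookies that
// are also Secure, and SameSite=None itself requires Secure, so a
// SameSite=None cookie without Secure is refused instead of being emitted
// in a form the browser would drop silently.
// Assumption: this build of Go may lack http.Cookie.Partitioned, so the
// attribute is added to the serialized header string.
func SetCookieHeader(c *http.Cookie) (string, error) {
	s := c.String()
	if s == "" {
		return "", fmt.Errorf("cookie %q: invalid name or value", c.Name)
	}
	if c.SameSite != http.SameSiteNoneMode {
		// First-party (Lax/Strict/Default) cookies are not third-party
		// cookies and must not be partitioned.
		return s, nil
	}
	if !c.Secure {
		return "", fmt.Errorf("cookie %q: SameSite=None requires Secure", c.Name)
	}
	if !hasAttribute(s, "Partitioned") {
		s += "; Partitioned"
	}
	return s, nil
}

// hasAttribute reports whether the serialized cookie already carries the
// given attribute (case-insensitive), skipping the leading name=value pair
// so that an attribute name inside the value is not mistaken for one.
func hasAttribute(serialized, attr string) bool {
	parts := strings.Split(serialized, "; ")
	for _, p := range parts[1:] {
		if strings.EqualFold(p, attr) {
			return true
		}
	}
	return false
}

// SetPartitionedCookie is a drop-in replacement for http.SetCookie that
// routes through SetCookieHeader.
func SetPartitionedCookie(w http.ResponseWriter, c *http.Cookie) error {
	s, err := SetCookieHeader(c)
	if err != nil {
		return err
	}
	w.Header().Add("Set-Cookie", s)
	return nil
}

func main() {
	// Cookie shaped like the one in the Firefox warning above, with the
	// issue's Hydra configuration (domain site-a.com, SameSite=None, secure).
	c := &http.Cookie{
		Name:     "ory_hydra_login_csrf_dev_2630171196",
		Value:    "constructed-sample-value",
		Path:     "/",
		Domain:   "site-a.com",
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteNoneMode,
	}
	s, err := SetCookieHeader(c)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("Set-Cookie:", s)
}
```

Because the attribute is only appended for SameSite=None, the same helper can sit in front of every Set-Cookie the server emits: the Kratos/Hydra session and CSRF cookies configured with same_site_mode: None in the issue gain Partitioned, while any cookie configured Lax or Strict is emitted unchanged. This trades the cross-site shared login that the SAA route would preserve (as HIRANO-Satoshi notes above) for cookies that current Chrome and Firefox still accept.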